Hackers are increasingly targeting machines and systems and causing production downtimes. Consequently, security is gaining importance in automation and becoming more of a focus for machine builders and operators of production facilities – out of self-interest and with a view to legal requirements.
As automation experts, Lenze provides the best possible protection for our hardware, software and digital services. However, machines and plants can only be comprehensively protected against cyber risks if all parties involved – i.e., automation specialists, machine builders, and operators – take the necessary measures.
This white paper provides machine builders and operators with orientation in the jungle of standards and regulations concerning cybersecurity for machines: It offers an overview of the legal framework, requirements according to standard 62443, and implementation options in practice.
In the meantime, there is hardly a company that does not know of cases in which there were significant production losses due to cyber-attacks. Therefore, concepts for dealing with cyber-attacks are a must-have in every company’s risk management. This development is also reflected in the Allianz Risk Barometer, where the topic of cybersecurity is in the first place (with a further upward trend in importance). As a rule, cybersecurity concepts include the elements of IT (Information Technology, i.e. HW and SW for use in business processes) and not OT (Operation Technology, i.e. HW and SW for controlling industrial processes). This separation is understandable, because classically the OT, which controls the production processes, is physically separate from the IT (air gap).
Over the Shoulder Shot of Engineer Working with CAD Software on Desktop Computer, Screen Shows Technical Drafts and Drawings. In the Background Engineering Facility Specialising on Industrial Design
In the best case, the OT has a separate network with no contact points with the IT. In addition, many OT components have proprietary SW that require very specialized knowledge to carry out a successful cyber-attack. The automation pyramid is typically used to represent the HW and SW used in a production company. The increasing networking across all pyramid levels, or the “dissolution” of the pyramid are obvious. To be able to implement the requirements of modern networking and data management in OT, the central elements of OT, the PLCs, are increasingly being based on standard operating systems.
This is referred to as COTS (Commercial Off-the-Shelf) software, i.e. commercial software that is pulled off the shelf. These operating systems (Linux is typical) have (almost) all the possibilities of implementing current communication protocols to realize extensive networking and data management.
Of course, the fact that PLCs are based on standard operating systems means that they are much more widely known and the number of potential vulnerabilities is much greater. PLCs are usually not directly connected to the Internet, but the ever-increasing networking with the company’s IT means that attacks can spread more easily to the OT as well.
This is also “attractive” to a potential attacker because they look for the largest possible number of components in the company network that can be attacked. This trend can also be seen in the fact that there are already the first toolboxes specializing in attacking the PLCs, or more generally, the ICS (Industrial Control Systems) of OT networks. Not only companies have a vested interest in avoiding cyber risks, but also states must ensure that their critical infrastructures (e.g. hospitals, banks, logistics centers for food distribution, etc.) function in the event of a cyber-attack. This is one of the reasons why many states have already developed national Cybersecurity strategies.
Answers on questions of the European data strategy and legislation for OT, attack detection, standards and do’s and don’ts are available in Lenze’s whitepaper ‘Security’.
To be downloaded here: Whitepaper (lenze.com)
